Contributed by jose on from the fix-your-httpd dept.
A user with write permission to httpd.conf or a .htaccess file can crash httpd(8) or potentially run arbitrary code as the user www (although it is believed that ProPolice will prevent code execution). You can find the patch here: 3.3/common/009_httpd.patch .
No word yet on 3.2-stable or any patch for the new 3.4-stable branch.
Update: Patch 004 for 3.4 has been released to fix this problem.
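As an added example (not from the post or the OpenBSD patch), a small POSIX sh audit for the precondition the advisory names: httpd.conf or .htaccess files that a non-root user could write to. The function names, the directory argument and the 1.3-style layout (httpd.conf plus per-directory .htaccess files) are assumptions.

```shell
#!/bin/sh
# Added example: audit Apache config files for write access by non-root users.
# Assumes a 1.3-style layout: httpd.conf plus .htaccess files under a document root.

# Print every httpd.conf or .htaccess file under $1 that is group- or world-writable.
# Such a file lets a local user other than root feed the server a crafted
# configuration, which is exactly the precondition the advisory describes.
find_writable_apache_config() {
    dir="$1"
    find "$dir" -type f \( -name httpd.conf -o -name .htaccess \) \
        \( -perm -g=w -o -perm -o=w \) 2>/dev/null | sort
}

# Return 0 when nothing risky is found, 1 otherwise, so it can run from cron or an rc script.
check_apache_config_perms() {
    hits=$(find_writable_apache_config "$1")
    if [ -n "$hits" ]; then
        printf 'writable Apache config files found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}
```

Ownership is not checked here; a file owned by the www user and writable only by its owner is still a problem on a shared host, so pair this with a `find ... ! -user root` pass where that applies.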
By Scooter () on
Is the Apache2 running well for everyone? threads not a problem? any comments for the "worker" MPM?
TIA - Scooter
By mirabile () mirabile@bsdcow.net on https://MirBSD.BSDadvocacy.org:8890/
henning@'s dead body.
And I fully ACK that decision.
Apache 1.3 is already ugly enough, to begin with.
By Anonymous Coward () on
It's simple really..
By Pablo Méndez Hernández () ciph3r@telefonica.net on www.citfi.org
$ cat /etc/mk.conf
SKIPDIR+= usr.sbin/httpd
... will do that for you.
(I really appreciate henning@'s work with apache and don't do that on my machines)
By dlg () dlg@dorkzilla.org on http://www.dorkzilla.org/~dlg
By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/
I just wonder why the patch was made from /usr/src/usr.sbin instead of /usr/src as always.
By Henning Brauer () henning@ on mailto:henning@
sorry, didn't think about that.
By chris humphries () chris@unixfu.net on http://unixfu.net/
amazed it is still in by default, hey but it is secure cause it is turned off. just don't open door sendmail and door apache in your new house, other than that it is safe.
needs to be re-thunked? but i guess, like i do, if i don't like it, modify my configuration on the server :)
just curious of consistency with default software.